Abstract

First-order structures over a fixed signature $\Sigma$ give rise to a family of trace-based and relational Kleene algebras with tests defined in terms of Tarskian frames. A Tarskian frame is a Kripke frame whose states are valuations of program variables and whose atomic actions are state changes effected by variable assignments $x := e$, where $e$ is a $\Sigma$-term. The Kleene algebras with tests that arise in this way play a role in dynamic model theory akin to the role played by Lindenbaum algebras in classical first-order model theory. Given a first-order theory $T$ over $\Sigma$, we exhibit a Kripke frame $U$ whose trace algebra $\mathrm{Tr}_U$ is universal for the equational theory of Tarskian trace algebras over $\Sigma$ satisfying $T$, although $U$ itself is not Tarskian in general. The corresponding relation algebra $\mathrm{Rel}_U$ is not universal for the equational theory of relation algebras of Tarskian frames, but it is so modulo observational equivalence.
1. Dynamic model theory

Traditional model theory [3,4], like classical predicate logic, is static in nature. Models, valuations of variables, and truth values of predicates are regarded as fixed and immutable. Dynamic model theory, on the other hand, is the study of abstract models in the presence of explicit operators that can change state. State change is typically effected by simple assignments $x := e$ and similar constructs that are explicit in the language. In addition, the language often provides various programming and data constructs for expressing high-level algorithmic properties of structures.
Dynamic model theory relates to dynamic logic and other programming logics as classical model theory relates to classical first-order logic. It has existed as a field of study almost as long as programming logics. One can find its roots in the early work of Andréka, Németi and Sain, Constable and O'Donnell, Engeler, Harel, Meyer, Mirkowska, Pratt, Salwicki, Stolboushkin, Tiuryn, and many others; see [6] and references therein.

Dynamic model theory focuses on general algorithmic properties of first-order Tarskian structures, such as halting and equivalence of program schemes. Traditional model theory has had a profound influence on the development of the subject. For example, one interprets formulas and programs over first-order structures as in the Tarskian approach to the model theory of first-order logic. Perhaps the dominance of denotational over operational semantics in programming languages can be attributed to this influence as well.

However, there are some fundamental incompatibilities. For example, there are very simple and ubiquitous concepts in computer science, such as transitive closure, that cannot be expressed in first-order logic. Indeed, probably the single most important tool in reasoning about programs is induction, but first-order logic is incapable of handling it in general structures. In dynamic model theory, as programs and computation take on greater importance, the traditional first-order constructs $\forall$ and $\exists$ play a correspondingly lesser role.

In this paper, we continue the study begun in [1,12] of the general properties of trace-based and relational Kleene algebras with tests (KAT) that arise naturally from first-order structures. Such algebras are defined in terms of a specialized class of Kripke frames called Tarskian frames. A Tarskian frame is a Kripke frame whose states are valuations of program variables and whose atomic actions are state changes that arise from variable assignments $x := e$, where $e$ is a term over some fixed first-order signature. The Kleene algebras with tests that arise in this way play a role in dynamic model theory comparable to the role played by Lindenbaum algebras (a particular subclass of Boolean algebras) in classical first-order model theory.

In this paper, we prove the following results. Let $\Sigma$ be a fixed first-order signature. Given a first-order theory $T$ over $\Sigma$, we exhibit a Kripke frame $U$ whose trace algebra $\mathrm{Tr}_U$ is universal for the equational theory of Tarskian trace algebras over $\Sigma$ satisfying $T$, although $U$ itself is not Tarskian in general. The corresponding relation algebra $\mathrm{Rel}_U$ is not universal for the equational theory of relation algebras of Tarskian frames, but it is so modulo observational equivalence.

This paper is organized as follows. Sections 2 and 3 contain background material. In Section 2, we review the syntax of propositional and first-order (schematic) Kleene algebra with tests (KAT and SKAT, respectively). In Section 3, we review the various semantic interpretations of KAT and SKAT. At the propositional level, we recall the definitions of Kripke frames and relation and trace algebras. We discuss the guarded string model and its particular importance in the theory of KAT. We also discuss canonical homomorphisms and recall basic results on the equational theories of these models. At the first-order level, we recall the definition of Tarskian frames over a first-order signature $\Sigma$.


D. Kozen / Science of Computer Programming 51 (2004) 3–22




In Section 4, we introduce the universal frame $U$ and develop some of its basic properties, including the notion of spectrum of a first-order structure. Many of these properties follow from more general propositional-level considerations, and we develop these tools in Section 5, including the notions of induced subframes, coherence, and autobisimulation, along with their algebraic consequences. The main theorem on the universality of $U$ for trace algebras of Tarskian frames is stated in Section 4 and proved at the end of Section 5.

In Section 6 we turn to relation algebras. We show that the universality result of Section 4 does not hold for relation algebras of Tarskian frames. However, it does hold modulo observational equivalence. Again, these results follow from more general propositional considerations, which we develop in Section 7.


2. Syntax

Kleene algebra (KA) is the algebra of regular expressions. A Kleene algebra with tests (KAT) is a Kleene algebra with an embedded Boolean subalgebra. In this section we describe the language of propositional and first-order Kleene algebra with tests.

2.1. Propositional

Let $P$ and $B$ be disjoint sets of symbols called the atomic actions and atomic tests, respectively. Tests are Boolean expressions over $B$ and actions are regular expressions over $P$ and tests. Formally,

$$\text{tests } b, c, d, \ldots \qquad b ::= \text{atomic tests} \mid b + c \mid bc \mid \bar b \mid 0 \mid 1$$

$$\text{actions } p, q, r, \ldots \qquad p ::= \text{atomic actions} \mid p + q \mid pq \mid p^* \mid b$$

The set of all actions over $P$ and $B$ and the set of all tests over $B$ are denoted $\mathrm{RExp}_{P,B}$ and $\mathrm{BExp}_B$, respectively. Note that the latter is a subset of the former.

Ordinary programming constructs such as conditional tests and while loops can be encoded. For example, $\mathbf{while}\ b\ \mathbf{do}\ p$ is $(bp)^*\bar b$. The Hoare partial correctness assertion $\{b\}\,p\,\{c\}$ is expressed as an equation $bp\bar c = 0$, or equivalently, $bp = bpc$.

2.2. First order

For interpretations over first-order (Tarskian) structures, we refine the language of KAT to accommodate first-order terms and formulas. The resulting system is called schematic KAT (SKAT) [1].

Let $\Sigma$ be a first-order signature consisting of function symbols $f, g, \ldots$ and relation symbols $P, Q, \ldots$, each with a fixed arity. We also have infinitely many individual first-order variables $x, y, \ldots$. Individual terms are denoted $d, e, \ldots$ and first-order formulas are denoted $\varphi, \ldots$.

In SKAT, atomic programs $P$ are assignments $x := e$, where $x$ is a variable and $e$ is a $\Sigma$-term, and atomic tests $B$ are atomic formulas $P(e_1, \ldots, e_n)$, where $P$ is an $n$-ary relation symbol of $\Sigma$ and $e_1, \ldots, e_n$ are $\Sigma$-terms.

The substitution operator that simultaneously substitutes a term $d$ for all free occurrences of a variable $x$ is denoted $[x/d]$. The substitution operator can be applied to either terms or formulas, as in $e[x/d]$ or $\varphi[x/d]$. Bound variables in $\varphi$ are implicitly renamed to avoid capture.

A program scheme is just an automaton over this language [11], which by a construction analogous to Kleene's theorem gives an equivalent expression in $\mathrm{RExp}_{P,B}$. Using this idea, it is possible to give an alternative algebraic treatment of the theory of program schemes [1].


3. Semantics

3.1. Kleene algebra with tests

A Kleene algebra with tests (KAT) is a two-sorted structure $(K, B, +, \cdot, {}^*, \bar{\ }, 0, 1)$ such that

• $(K, +, \cdot, {}^*, 0, 1)$ is a Kleene algebra,

• $(B, +, \cdot, \bar{\ }, 0, 1)$ is a Boolean algebra, and

• $(B, +, \cdot, 0, 1)$ is a subalgebra of $(K, +, \cdot, 0, 1)$.

The Boolean complementation operator $\bar{\ }$ is defined only on $B$. Elements of $B$ are called tests. These algebras were introduced in [9] and their theory and applications further developed in [1,2,5,10,11,13–15].

Boolean algebra has a well-known equational axiomatization; see for example [3,4]. Kleene algebra has a quasiequational axiomatization consisting of equations and equational implications. A Kleene algebra $(K, +, \cdot, {}^*, 0, 1)$ is an idempotent semiring under $+, \cdot, 0, 1$ such that $p^*q$ is the $\le$-least solution to $q + px \le x$ and $qp^*$ is the $\le$-least solution to $q + xp \le x$, where $\le$ refers to the natural partial order $p \le q \overset{\text{def}}{\iff} p + q = q$. A Kleene algebra is $*$-continuous if it satisfies the stronger infinitary property $pq^*r = \sup_n pq^nr$.

Standard examples of Kleene algebras include the family of regular sets over a finite alphabet, the family of binary relations on a set, and the family of $n \times n$ matrices over another Kleene algebra. Other more exotic interpretations include the min,+ algebra or tropical semiring used in shortest path algorithms and models consisting of convex polyhedra used in computational geometry. All these models are $*$-continuous.

The axiomatization for KA above was proposed in [8], where it was shown that all true identities between regular expressions interpreted as regular sets of strings are derivable from the axioms of Kleene algebra. Equivalently, the algebra of regular sets of strings over the finite alphabet $P$ is the free Kleene algebra on generators $P$. The axioms are also complete for the equational theory of relation algebras.

Analogous results exist for KAT, which we describe in Section 3.7 below. In addition, KAT is deductively complete for relationally valid propositional Hoare-style rules involving partial correctness assertions [10], whereas Hoare logic is not.

3.2. Kripke frames

For applications in program verification, one usually interprets programs and tests over a KAT consisting of sets of traces or sets of binary relations on a set of states. Both these classes of algebras are defined in terms of Kripke frames. A Kripke frame over a set of atomic programs $P$ and a set of atomic tests $B$ is a structure $(K, m_K)$, where $K$ is a set of states, $m_K : P \to 2^{K \times K}$, and $m_K : B \to 2^K$. The map $m_K$ specifies a canonical interpretation of the atomic actions and tests.

3.3. Relation algebras

The set of all binary relations on a Kripke frame $K$ forms a KAT under the standard binary relation-theoretic interpretation of the KAT operators. The operator $\cdot$ is interpreted as relational composition $\circ$, $+$ as union, $0$ and $1$ as the empty relation and the identity relation on $K$, respectively, and $*$ as reflexive transitive closure. The Boolean elements are subsets of the identity relation. This is called the full relation algebra on $K$. One can define a canonical interpretation $[\![\ ]\!]_K : \mathrm{RExp}_{P,B} \to 2^{K \times K}$ by

$$[\![p]\!]_K \overset{\text{def}}{=} m_K(p), \quad p \in P$$

$$[\![b]\!]_K \overset{\text{def}}{=} \{(u, u) \mid u \in m_K(b)\}, \quad b \in B$$

extended homomorphically. A binary relation is regular if it is $[\![p]\!]_K$ for some $p \in \mathrm{RExp}_{P,B}$. The subalgebra consisting of all regular binary relations on $K$ is denoted $\mathrm{Rel}_K$.


3.4. Trace algebras

A trace in a Kripke frame $K$ is a sequence $s_0 p_0 s_1 \cdots s_{n-1} p_{n-1} s_n$, where $n \ge 0$, $s_i \in K$, $p_i \in P$, and $(s_i, s_{i+1}) \in m_K(p_i)$ for $0 \le i \le n-1$. The set of all traces in $K$ is denoted $\mathrm{Traces}_K$. We denote traces by $\sigma, \tau, \ldots$. The first and last states of a trace $\sigma$ are denoted $\mathrm{first}(\sigma)$ and $\mathrm{last}(\sigma)$, respectively. If $\mathrm{last}(\sigma) = \mathrm{first}(\tau)$, we can fuse $\sigma$ and $\tau$ to get the trace $\sigma\tau$. If $\mathrm{last}(\sigma) \ne \mathrm{first}(\tau)$, then $\sigma\tau$ does not exist.

The powerset of $\mathrm{Traces}_K$ forms a KAT in which $+$ is interpreted as set union, $\cdot$ as the operation

$$AB = \{\sigma\tau \mid \sigma \in A,\ \tau \in B,\ \mathrm{last}(\sigma) = \mathrm{first}(\tau)\},$$

$0$ and $1$ as $\emptyset$ and $K$, respectively, and $A^*$ as the union of all finite powers of $A$. The Boolean elements are the subsets of $K$, the sets of traces of length 0. This is called the full trace algebra on $K$. A canonical interpretation $[\![\ ]\!]_K$ for KAT expressions over $P$ and $B$ is given by

$$[\![p]\!]_K \overset{\text{def}}{=} \{spt \mid (s, t) \in m_K(p)\}, \quad p \in P$$

$$[\![b]\!]_K \overset{\text{def}}{=} m_K(b), \quad b \in B,$$

extended homomorphically. A set of traces is regular if it is $[\![p]\!]_K$ for some KAT expression $p$. The subalgebra of all regular sets of traces of $K$ is denoted $\mathrm{Tr}_K$.
3.5. Guarded strings

When $B$ is finite, a language-theoretic interpretation is given by the algebra of regular sets of guarded strings [7,14]. This algebra plays the same role in KAT that the algebra of regular sets of ordinary strings plays in KA.

Let $\mathrm{Atoms}_B$ denote the set of atoms (minimal nonzero elements) of the free Boolean algebra generated by $B$. The symbols $\alpha, \beta, \ldots$ denote atoms. For an atom $\alpha$ and a test $b$, note that $\alpha \le b$ in the sense of KAT iff $\alpha \to b$ is a propositional tautology.

A guarded string over $P, B$ is a trace in the Kripke frame $G$ whose states are $\mathrm{Atoms}_B$ and

$$m_G(p) \overset{\text{def}}{=} \mathrm{Atoms}_B \times \mathrm{Atoms}_B, \quad p \in P$$

$$m_G(b) \overset{\text{def}}{=} \{\alpha \in \mathrm{Atoms}_B \mid \alpha \le b\}, \quad b \in B.$$

Thus a guarded string is just a sequence $\alpha_0 p_0 \alpha_1 \cdots \alpha_{n-1} p_{n-1} \alpha_n$, where the $\alpha_i \in \mathrm{Atoms}_B$ and $p_i \in P$, and $\mathrm{Traces}_G$ is the set of all guarded strings over $P, B$. Each KAT term $p \in \mathrm{RExp}_{P,B}$ denotes a set $[\![p]\!]_G$ of guarded strings under the canonical interpretation defined in Section 3.4. A guarded string $\sigma$ is itself a member of $\mathrm{RExp}_{P,B}$, and $[\![\sigma]\!]_G = \{\sigma\}$.

The trace algebra $\mathrm{Tr}_G$ of regular sets of guarded strings over $P, B$ forms the free Kleene algebra with tests on generators $P, B$; in other words, $[\![p]\!]_G = [\![q]\!]_G$ iff $p = q$ is a theorem of KAT [14].

3.6. Canonical homomorphisms

If $K, K'$ are KATs with distinguished canonical interpretations $I : \mathrm{RExp}_{P,B} \to K$ and $I' : \mathrm{RExp}_{P,B} \to K'$, a homomorphism $h : K \to K'$ is canonical if it commutes with $I$ and $I'$. In particular, a homomorphism involving trace or relation algebras on Kripke frames over $P, B$ is canonical if it commutes with $[\![\ ]\!]_K$ and $[\![\ ]\!]_{K'}$.

An example of a canonical homomorphism is the map $\mathrm{Ext} : \mathrm{Tr}_K \to \mathrm{Rel}_K$ defined by

$$\mathrm{Ext}(A) \overset{\text{def}}{=} \{(\mathrm{first}(\sigma), \mathrm{last}(\sigma)) \mid \sigma \in A\}. \qquad (1)$$

This is canonical because $\mathrm{Ext}([\![p]\!]_K) = [\![p]\!]_K$ for all $p \in \mathrm{RExp}_{P,B}$, where $\mathrm{Ext}$ is applied to the trace interpretation of $p$ on the left and the right-hand side is the relational interpretation of $p$ [15, Section 3.4].
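As an added worked example (not code from the paper), the following Python implements the canonical relational interpretation of Section 3.3 and the canonical trace interpretation of Section 3.4 over an arbitrary finite Kripke frame, and exercises them on the encodings of Section 2.1 (the while loop $(bp)^*\bar b$ and the Hoare assertion as $bp\bar c = 0$, or equivalently $bp = bpc$), on the guarded string frame $G$ of Section 3.5, and on the map $\mathrm{Ext}$ of (1). The four-state counter frame, the encoding of KAT terms as nested tuples, and the bound $N$ on the number of actions in a trace are assumptions of the example; the trace sets it computes are exactly $[\![p]\!]_K$ restricted to traces with at most $N$ actions, so on a frame without cycles (such as the counter below) the bound loses nothing once it exceeds the longest path.

```python
"""Relational and trace semantics of KAT over a finite Kripke frame (added example).

KAT terms are nested tuples (an encoding chosen for this example):
  ('act', 'p')  atomic action       ('test', 'b')  atomic test
  ('+', e, f)   choice              ('.', e, f)    sequential composition
  ('*', e)      iteration           ('not', t)     complement of a test t
  ('0',) and ('1',)                 zero and one
A trace s0 p0 s1 ... p(n-1) sn is the tuple (s0, p0, s1, ..., sn).
"""
from itertools import product


class Frame:
    """A Kripke frame (K, m_K): m_K(p) is a set of state pairs, m_K(b) a set of states."""
    def __init__(self, states, acts, tests):
        self.states = frozenset(states)
        self.acts = {p: frozenset(r) for p, r in acts.items()}
        self.tests = {b: frozenset(s) for b, s in tests.items()}


def compose(R, S):
    """Relational composition R o S."""
    return {(s, t) for (s, u) in R for (v, t) in S if u == v}


def rel(e, F):
    """Canonical relational interpretation [[e]]_K, a subset of K x K (Section 3.3)."""
    tag = e[0]
    ident = {(u, u) for u in F.states}
    if tag == 'act':  return set(F.acts[e[1]])
    if tag == 'test': return {(u, u) for u in F.tests[e[1]]}
    if tag == '0':    return set()
    if tag == '1':    return ident
    if tag == 'not':  return ident - rel(e[1], F)       # complement inside the identity
    if tag == '+':    return rel(e[1], F) | rel(e[2], F)
    if tag == '.':    return compose(rel(e[1], F), rel(e[2], F))
    if tag == '*':                                      # reflexive transitive closure
        R, X = rel(e[1], F), ident
        while True:
            nxt = X | compose(X, R)
            if nxt == X: return X
            X = nxt
    raise ValueError(tag)


def fuse(A, B, N):
    """AB = {sigma tau | sigma in A, tau in B, last(sigma) = first(tau)}, kept to <= N actions."""
    return {s + t[1:] for s in A for t in B
            if s[-1] == t[0] and (len(s) + len(t) - 2) // 2 <= N}


def tr(e, F, N):
    """Canonical trace interpretation [[e]]_K (Section 3.4), restricted to traces of <= N actions.

    Every factor of a trace with <= N actions itself has <= N actions, so the restriction
    commutes with fusion and with the union of finite powers: the result is exact."""
    tag = e[0]
    states = {(u,) for u in F.states}
    if tag == 'act':  return {(s, e[1], t) for (s, t) in F.acts[e[1]]} if N >= 1 else set()
    if tag == 'test': return {(u,) for u in F.tests[e[1]]}
    if tag == '0':    return set()
    if tag == '1':    return states
    if tag == 'not':  return states - tr(e[1], F, N)    # tests are the length-0 traces
    if tag == '+':    return tr(e[1], F, N) | tr(e[2], F, N)
    if tag == '.':    return fuse(tr(e[1], F, N), tr(e[2], F, N), N)
    if tag == '*':                                      # union of finite powers of A
        A, X = tr(e[1], F, N), states
        while True:
            nxt = X | fuse(X, A, N)
            if nxt == X: return X
            X = nxt
    raise ValueError(tag)


def ext(A):
    """Ext(A) = {(first(sigma), last(sigma)) | sigma in A}, equation (1)."""
    return {(s[0], s[-1]) for s in A}


def while_loop(b, p):
    """while b do p, encoded as (bp)* not-b (Section 2.1)."""
    return ('.', ('*', ('.', b, p)), ('not', b))


def hoare_holds(b, p, c, F):
    """{b} p {c} as the equation b p not-c = 0, together with its equivalent form bp = bpc."""
    zero = rel(('.', ('.', b, p), ('not', c)), F) == set()
    same = rel(('.', b, p), F) == rel(('.', ('.', b, p), c), F)
    return zero and same


def guarded_frame(P, B):
    """The frame G of Section 3.5: states are the atoms of the free Boolean algebra on B
    (here: the set of atomic tests an atom makes true), every action relates every pair
    of atoms, and m_G(b) is the set of atoms below b."""
    atoms = [frozenset(b for b, v in zip(B, bits) if v) for bits in product((0, 1), repeat=len(B))]
    acts = {p: {(a, c) for a in atoms for c in atoms} for p in P}
    tests = {b: {a for a in atoms if b in a} for b in B}
    return Frame(atoms, acts, tests)


def kat_equal_upto(e1, e2, P, B, N):
    """Compare [[e1]]_G and [[e2]]_G on guarded strings of <= N actions."""
    G = guarded_frame(P, B)
    return tr(e1, G, N) == tr(e2, G, N)


if __name__ == "__main__":
    # Constructed frame: a counter 0..3, action inc steps up, test lt3 holds below 3.
    K = Frame(range(4), {'inc': {(i, i + 1) for i in range(3)}}, {'lt3': {0, 1, 2}})
    b, p = ('test', 'lt3'), ('act', 'inc')
    W = while_loop(b, p)                       # while lt3 do inc
    print(sorted(rel(W, K)))                   # [(0, 3), (1, 3), (2, 3), (3, 3)]
    print(ext(tr(W, K, 3)) == rel(W, K))       # True: Ext is canonical on this frame
    print(hoare_holds(('1',), W, ('not', b), K), hoare_holds(b, p, b, K))   # True False
    pp, qq = ('act', 'p'), ('act', 'q')
    denest = ('.', ('*', pp), ('*', ('.', qq, ('*', pp))))
    print(kat_equal_upto(('*', ('+', pp, qq)), denest, ['p', 'q'], ['b'], 3))   # True
```

The guarded-string comparison is a bounded check, not a proof: the completeness theorem of Section 3.5 concerns the full (infinite) sets $[\![p]\!]_G$, so agreement up to $N$ actions is necessary but not sufficient for $p = q$ to be a KAT theorem, while a difference at any bound refutes it.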

Another important example is given by the following construction, which shows that every trace algebra is canonically isomorphic to a relation algebra. This construction is a straightforward generalization of a similar construction of [16] for regular sets of strings and [14] for regular sets of guarded strings.

Given a Kripke frame $(K, m_K)$, define a new Kripke frame $(R, m_R)$ with

$$R \overset{\text{def}}{=} \mathrm{Traces}_K$$

$$m_R(p) \overset{\text{def}}{=} \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in [\![p]\!]_K\}, \quad p \in P$$

$$m_R(b) \overset{\text{def}}{=} \{\sigma \in \mathrm{Traces}_K \mid \mathrm{last}(\sigma) \in [\![b]\!]_K\}, \quad b \in B.$$
For $A \subseteq \mathrm{Traces}_K$, define

$$h(A) \overset{\text{def}}{=} \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in A\}.$$

Lemma 3.1. The map $h$ is an injective KAT homomorphism from the full trace algebra $2^{\mathrm{Traces}_K}$ to the full relation algebra $2^{R \times R}$. Its restriction to the regular trace algebra $\mathrm{Tr}_K$ is a canonical isomorphism $\mathrm{Tr}_K \to \mathrm{Rel}_R$.

Proof. We show first that $h$ is a homomorphism.

$$h\Big(\bigcup_i A_i\Big) = \Big\{(\sigma, \sigma\tau) \;\Big|\; \sigma\tau \in \mathrm{Traces}_K,\ \tau \in \bigcup_i A_i\Big\} = \bigcup_i \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in A_i\} = \bigcup_i h(A_i),$$

$$\begin{aligned} h(AB) &= \{(\sigma, \sigma\tau\rho) \mid \sigma\tau\rho \in \mathrm{Traces}_K,\ \tau \in A,\ \rho \in B\} \\ &= \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in A\} \circ \{(\sigma\tau, \sigma\tau\rho) \mid \sigma\tau\rho \in \mathrm{Traces}_K,\ \rho \in B\} \\ &= h(A)h(B). \end{aligned}$$

The argument for $*$ follows from these facts. For $B \subseteq K$,

$$\begin{aligned} h(\bar B) &= h(K - B) \\ &= \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in K - B\} \\ &= \{(\sigma, \sigma) \mid \sigma \in \mathrm{Traces}_K,\ \mathrm{last}(\sigma) \in K - B\} \\ &= \{(\sigma, \sigma) \mid \sigma \in \mathrm{Traces}_K\} - \{(\sigma, \sigma) \mid \sigma \in \mathrm{Traces}_K,\ \mathrm{last}(\sigma) \in B\} \\ &= \{(\sigma, \sigma) \mid \sigma \in \mathrm{Traces}_K\} - \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in B\} \\ &= \{(\sigma, \sigma) \mid \sigma \in \mathrm{Traces}_K\} - h(B) \\ &= \overline{h(B)}. \end{aligned}$$

The additive identities of $2^{\mathrm{Traces}_K}$ and $2^{R \times R}$ are the empty set of traces and the empty relation, respectively, and

$$h(\emptyset) = \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in \emptyset\} = \emptyset.$$

The multiplicative identities of $2^{\mathrm{Traces}_K}$ and $2^{R \times R}$ are the set $K$ and the identity relation on $R$, respectively, and the argument for this case follows from the above two facts. The function $h$ is injective, since $A$ is uniquely recoverable from $h(A)$:

$$A = \{\tau \mid (\mathrm{first}(\tau), \tau) \in h(A)\}.$$

To show that the restriction of $h$ to $\mathrm{Tr}_K$ is canonical, it suffices to show that $h$ acts canonically on atomic symbols; that is,

$$h([\![p]\!]_K) = [\![p]\!]_R, \quad p \in P,$$
$$h([\![b]\!]_K) = [\![b]\!]_R, \quad b \in B.$$

We have

$$\begin{aligned} h([\![p]\!]_K) &= \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in [\![p]\!]_K\} \\ &= m_R(p) \\ &= [\![p]\!]_R, \end{aligned}$$

$$\begin{aligned} h([\![b]\!]_K) &= \{(\sigma, \sigma\tau) \mid \sigma\tau \in \mathrm{Traces}_K,\ \tau \in [\![b]\!]_K\} \\ &= \{(\sigma, \sigma) \mid \sigma \in \mathrm{Traces}_K,\ \mathrm{last}(\sigma) \in [\![b]\!]_K\} \\ &= \{(\sigma, \sigma) \mid \sigma \in m_R(b)\} \\ &= [\![b]\!]_R. \qquad \square \end{aligned}$$
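The equations in the proof of Lemma 3.1 can be checked mechanically on a frame whose set of traces is finite. The following Python is an added illustration, not code from the paper: the three-state acyclic frame, the trace sets $A$, $B$ and the test $C$ are constructed for the example, and traces are encoded as tuples $(s_0, p_0, s_1, \ldots, s_n)$ so that $R = \mathrm{Traces}_K$ is a finite set of tuples and $h(A)$ a finite set of pairs of tuples.

```python
"""Lemma 3.1: embedding a trace algebra into the relation algebra on R = Traces_K (added example)."""


def traces(states, acts):
    """All traces of a frame. Terminates only because the constructed frame has no cycles."""
    out = {(s,) for s in states}
    frontier = set(out)
    while frontier:
        frontier = {t + (p, v) for t in frontier for p, R in acts.items() for (u, v) in R if u == t[-1]}
        out |= frontier
    return out


def fuse(A, B):
    """AB: fuse sigma in A with tau in B when last(sigma) = first(tau)."""
    return {s + t[1:] for s in A for t in B if s[-1] == t[0]}


def compose(R, S):
    return {(a, c) for (a, b) in R for (b2, c) in S if b == b2}


def h(A, TR):
    """h(A) = {(sigma, sigma tau) | sigma tau in Traces_K, tau in A}.
    Fusing two traces of K at a shared state always yields a trace of K, so the
    membership test sigma tau in Traces_K reduces to last(sigma) = first(tau)."""
    return {(s, s + t[1:]) for s in TR for t in A if s[-1] == t[0]}


def check_homomorphism(A, B, TR, K):
    """The +, ., 0 and 1 cases of the proof, on concrete A, B subsets of Traces_K."""
    ident = {(s, s) for s in TR}
    return {
        'union':  h(A | B, TR) == h(A, TR) | h(B, TR),
        'concat': h(fuse(A, B), TR) == compose(h(A, TR), h(B, TR)),
        'zero':   h(set(), TR) == set(),
        'one':    h({(s,) for s in K}, TR) == ident,
    }


def check_complement(C, TR, K):
    """For a test C (a subset of K): h(K - C) = {(sigma, sigma)} - h(C)."""
    ident = {(s, s) for s in TR}
    return h({(s,) for s in K - C}, TR) == ident - h({(s,) for s in C}, TR)


def check_canonical_test(mb, TR):
    """h([[b]]_K) = [[b]]_R = {(sigma, sigma) | last(sigma) in m_K(b)}."""
    return h({(s,) for s in mb}, TR) == {(s, s) for s in TR if s[-1] in mb}


def recover(HA):
    """Injectivity: A = {tau | (first(tau), tau) in h(A)}."""
    return {t for (s, t) in HA if s == (t[0],)}


if __name__ == "__main__":
    K = {0, 1, 2}                                   # constructed frame
    acts = {'a': {(0, 1)}, 'b': {(1, 2)}}           # 0 -a-> 1 -b-> 2, no cycles
    TR = traces(K, acts)                            # 6 traces
    A, B = {(0, 'a', 1)}, {(1, 'b', 2)}
    print(check_homomorphism(A, B, TR, K))
    print(check_complement({0, 2}, TR, K), check_canonical_test({0, 2}, TR))
    print(recover(h(fuse(A, B), TR)))               # {(0, 'a', 1, 'b', 2)}
```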

3.7. Coincidence of the equational theories

The completeness theorem of [14] says that the guarded string algebra $\mathrm{Tr}_G$ and its associated canonical interpretation $[\![\ ]\!]_G$ are universal for Kleene algebras with tests in the sense that for any KAT $K$ and interpretation $I : \mathrm{RExp}_{P,B} \to K$, there is a homomorphism $h : \mathrm{Tr}_G \to K$ that commutes with $[\![\ ]\!]_G$ and $I$. In particular, the free KAT $(\mathrm{RExp}_{P,B}/\!\equiv,\ \mathrm{BExp}_B/\!\equiv)$ on generators $P, B$, where $\equiv$ is provable equivalence, is canonically isomorphic to $\mathrm{Tr}_G$. This says that $p = q$ in all Kleene algebras with tests if and only if $[\![p]\!]_G = [\![q]\!]_G$.

In addition, the equational theory of KAT is the same as the equational theories of trace algebras and relation algebras [14]. Since $\mathrm{Tr}_G$ is universal, its equational theory is contained in the equational theories of trace algebras and relation algebras; and the reverse inclusions follow from the fact that $\mathrm{Tr}_G$ is itself a trace algebra and canonically isomorphic to a relation algebra by Lemma 3.1.


3.8. Tarskian frames

At the first-order level, we are primarily interested in interpretations over Kripke frames of a special form defined with respect to first-order structures $\mathfrak{A}$ of signature $\Sigma$. Such frames are called Tarskian. A state of a Tarskian frame is a map $s : \{x, y, \ldots\} \to |\mathfrak{A}|$ assigning a value to each variable. Such maps are commonly called valuations in logic and model theory and environments in computer science. These maps extend to terms and formulas inductively in the usual way, thus we may consider a valuation $s$ variously as a function $s : \{\text{terms}\} \to |\mathfrak{A}|$ or $s : \{\text{formulas}\} \to \{0, 1\}$. We write $s \models \varphi$ if $s(\varphi) = 1$.

The action of the assignment $x := e$ is to change the state in the following way. The expression $e$ is evaluated in the input state and the value assigned to $x$, and the resulting valuation is the output state. To define this formally, we define $s[x/a]$ to be the valuation that agrees with $s$ everywhere except possibly at $x$, where it takes value $a$:

$$s[x/a](x) \overset{\text{def}}{=} a,$$
$$s[x/a](y) \overset{\text{def}}{=} s(y), \quad y \ne x.$$

Then the behavior of the assignment $x := e$ is to take state $s$ to state $s[x/s(e)]$.

The unary operator $[x/a]$ on states is called a rebinding operator. It is not to be confused with the substitution operator, although its appearance is (intentionally) similar. There is a fundamental relationship between substitution and rebinding: for any term or formula $E$,

$$s[x/s(e)](E) = s(E[x/e]). \qquad (2)$$

This is easily proved by induction on the structure of $E$.

Given a first-order structure $\mathfrak{A}$ of signature $\Sigma$, we can now define the Tarskian frame $(K_{\mathfrak{A}}, m_{\mathfrak{A}})$ as follows:

$$K_{\mathfrak{A}} \overset{\text{def}}{=} \{\text{valuations over } \mathfrak{A}\}$$
$$m_{\mathfrak{A}}(x := e) \overset{\text{def}}{=} \{(s, s[x/s(e)]) \mid s \in K_{\mathfrak{A}}\}$$
$$m_{\mathfrak{A}}(P(e_1, \ldots, e_n)) \overset{\text{def}}{=} \{s \in K_{\mathfrak{A}} \mid s \models P(e_1, \ldots, e_n)\}.$$

The Tarskian frame $K_{\mathfrak{A}}$ is just a Kripke frame, and as such gives rise to a regular relation algebra $\mathrm{Rel}_{\mathfrak{A}}$ and a regular trace algebra $\mathrm{Tr}_{\mathfrak{A}}$ as described in Sections 3.3 and 3.4. The set of all traces is denoted $\mathrm{Traces}_{\mathfrak{A}}$. The canonical interpretations associate sets $[\![p]\!]_{\mathfrak{A}}$ of pairs and of traces, respectively, with the term $p$.

We are interested in the specialized structure of trace and relation algebras of Tarskian frames as an algebraic representation of first-order program schemes. Note that a trace in $K_{\mathfrak{A}}$ is a sequence $s_0 p_0 s_1 \cdots s_{n-1} p_{n-1} s_n$, where $s_{i+1} = s_i[x_i/s_i(e_i)]$ if $p_i$ is the assignment $x_i := e_i$, $0 \le i \le n-1$. Thus a trace is uniquely determined by its start state and its sequence of atomic actions.


4. Universal frames

The importance and usefulness of the guarded string model in propositional KAT motivates us to seek a similar structure that plays the same role for the class of Tarskian models and SKAT. We propose the following definition.
4.1. Quantifier-free types

Let $T$ be a fixed first-order theory of signature $\Sigma$ (a consistent set of first-order sentences closed under entailment). A quantifier-free type (qf-type) is a maximal consistent set of quantifier-free formulas. A qf-type of $T$ is a qf-type consistent with $T$. Quantifier-free types are the natural analog of the atoms of $B$ in the guarded string model.

Define the Kripke frame $(U, m_U)$ by

$$U \overset{\text{def}}{=} \{\text{qf-types of } T\}$$
$$m_U(x := e) \overset{\text{def}}{=} \{(\Delta, \{\varphi \mid \varphi[x/e] \in \Delta\}) \mid \Delta \in U\}$$
$$m_U(P(e_1, \ldots, e_n)) \overset{\text{def}}{=} \{\Delta \in U \mid P(e_1, \ldots, e_n) \in \Delta\}.$$

For the definition of $m_U(x := e)$ to make sense, the set $\{\varphi \mid \varphi[x/e] \in \Delta\}$ had better be a qf-type of $T$ whenever $\Delta$ is. We argue this below (Corollary 4.2).

We will ultimately show that $\mathrm{Tr}_U$ is universal for trace algebras of Tarskian frames over models of $T$. Unlike the propositional case, however, this is not true for relation algebras. However, it is almost true in a sense to be made precise in Section 6. The frame $U$ itself is not isomorphic to any Tarskian frame in general.

Let $\mathfrak{A}$ be a model of $T$. For any valuation $s$ over $\mathfrak{A}$, there is a unique qf-type $\Delta(s)$ such that $s \models \Delta(s)$. Note that $\Delta(s) \in U$, since any qf-type realized in a model of $T$ is consistent with $T$.

Lemma 4.1. $\Delta(s[x/s(e)]) = \{\varphi \mid \varphi[x/e] \in \Delta(s)\}$. In other words, the following diagram commutes:

$$\begin{array}{ccc} s & \xrightarrow{\quad x := e \quad} & s[x/s(e)] \\ {\scriptstyle \Delta}\Big\downarrow & & \Big\downarrow{\scriptstyle \Delta} \\ \Delta(s) & \xrightarrow{\quad x := e \quad} & \Delta(s[x/s(e)]) = \{\varphi \mid \varphi[x/e] \in \Delta(s)\} \end{array}$$

Proof. This is essentially a restatement of the relationship between substitution and rebinding (2). □

Corollary 4.2. If $\Delta \in U$, then $\{\varphi \mid \varphi[x/e] \in \Delta\} \in U$.

Proof. Suppose $\Delta \in U$. Let $\mathfrak{A}$ be a model of $T$ realizing the type $\Delta$, say $\Delta = \Delta(s)$. By Lemma 4.1, $\{\varphi \mid \varphi[x/e] \in \Delta\} = \Delta(s[x/s(e)]) \in U$. □
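The following Python is an added example, not code from the paper. It makes the substitution operator of Section 2.2 and the rebinding operator of Section 3.8 concrete, checks the relationship (2) between them on sample terms and formulas, runs an assignment sequence as a Tarskian trace (which Section 3.8 notes is determined by its start state and actions), and checks the set equation of Lemma 4.1. The structure (the integers with $+$, $\cdot$, $=$ and $<$), the encoding of terms and quantifier-free formulas as nested tuples, and the sample valuation and formulas are assumptions of the example. A qf-type is an infinite set, so $\Delta(s)$ is computed only restricted to a finite sample of formulas; the lemma's equation is then checked formula by formula on that sample, which is exactly (2) applied to each formula.

```python
"""Substitution vs. rebinding (identity (2)), Tarskian traces, and Lemma 4.1 (added example).

Terms:    int constant | str variable | ('+', t1, t2) | ('*', t1, t2)
Formulas: ('=', t1, t2) | ('<', t1, t2) | ('not', f) | ('and', f, g) | ('or', f, g)
Valuations s are dicts from variable names to ints (the structure is the integers)."""

FUNCS = {'+': lambda a, b: a + b, '*': lambda a, b: a * b}
RELS = {'=': lambda a, b: a == b, '<': lambda a, b: a < b}


def ev(s, e):
    """s(e): the value of term e under valuation s."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return s[e]
    return FUNCS[e[0]](*(ev(s, a) for a in e[1:]))


def subst(E, x, d):
    """E[x/d]: replace every occurrence of variable x in the term or formula E by the term d.
    There are no quantifiers in this fragment, so no renaming of bound variables is needed."""
    if isinstance(E, int):
        return E
    if isinstance(E, str):
        return d if E == x else E
    return (E[0],) + tuple(subst(a, x, d) for a in E[1:])


def sat(s, phi):
    """s satisfies phi, for quantifier-free phi."""
    tag = phi[0]
    if tag in RELS:
        return RELS[tag](ev(s, phi[1]), ev(s, phi[2]))
    if tag == 'not':
        return not sat(s, phi[1])
    if tag == 'and':
        return sat(s, phi[1]) and sat(s, phi[2])
    if tag == 'or':
        return sat(s, phi[1]) or sat(s, phi[2])
    raise ValueError(tag)


def rebind(s, x, a):
    """s[x/a]: the valuation that agrees with s except that x takes the value a."""
    t = dict(s)
    t[x] = a
    return t


def assign(s, x, e):
    """The action of x := e in the Tarskian frame: s maps to s[x/s(e)]."""
    return rebind(s, x, ev(s, e))


def identity2_holds(s, x, e, E, is_formula):
    """Check (2): s[x/s(e)](E) = s(E[x/e]) for a term or a quantifier-free formula E."""
    f = sat if is_formula else ev
    return f(assign(s, x, e), E) == f(s, subst(E, x, e))


def run_trace(s0, actions):
    """Build the trace s0 p0 s1 ... of K_A from a start state and a list of assignments (x, e)."""
    trace, s = [s0], s0
    for x, e in actions:
        s = assign(s, x, e)
        trace += [(x, e), s]
    return trace


def qf_type(s, Phi):
    """Delta(s) restricted to the finite sample Phi: the formulas of Phi true in s."""
    return frozenset(phi for phi in Phi if sat(s, phi))


def lemma41_holds(s, x, e, Phi):
    """Delta(s[x/s(e)]) = {phi | phi[x/e] in Delta(s)}, restricted to the sample Phi."""
    lhs = qf_type(assign(s, x, e), Phi)
    rhs = frozenset(phi for phi in Phi if sat(s, subst(phi, x, e)))
    return lhs == rhs


if __name__ == "__main__":
    s = {'x': 2, 'y': 3}                  # constructed valuation
    e = ('+', 'x', 'y')                   # the term x + y
    print(assign(s, 'x', e))              # {'x': 5, 'y': 3}
    print(identity2_holds(s, 'x', e, ('*', 'x', 'x'), False),
          identity2_holds(s, 'x', e, ('<', 'y', 'x'), True))          # True True
    Phi = [('<', 'x', 'y'), ('=', 'x', ('+', 'y', 1)),
           ('<', ('*', 'x', 'x'), 10), ('not', ('=', 'x', 'y'))]     # constructed sample
    print(lemma41_holds(s, 'x', e, Phi))                              # True
    print(run_trace(s, [('x', e), ('y', ('*', 'y', 2))])[-1])         # {'x': 5, 'y': 6}
```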

Now extend the map $\Delta : K_{\mathfrak{A}} \to U$ to traces:

$$\Delta(s_0 p_0 s_1 \cdots s_{n-1} p_{n-1} s_n) \overset{\text{def}}{=} \Delta(s_0)\, p_0\, \Delta(s_1) \cdots \Delta(s_{n-1})\, p_{n-1}\, \Delta(s_n).$$
Lemma 4.3. For any trace $\sigma$ of $K_{\mathfrak{A}}$, the sequence $\Delta(\sigma)$ is a trace of $U$.

Proof. We need only argue that for any state $s$, $(\Delta(s), \Delta(s[x/s(e)])) \in m_U(x := e)$. This is immediate from Lemma 4.1 and the definition of $m_U$. □

By Lemma 4.3, we may consider $\Delta$ to be a map $\Delta : \mathrm{Traces}_{\mathfrak{A}} \to \mathrm{Traces}_U$. Now for $A \subseteq \mathrm{Traces}_U$, define

$$\Delta^{-1}(A) = \{\sigma \in \mathrm{Traces}_{\mathfrak{A}} \mid \Delta(\sigma) \in A\}.$$

Our main theorem is the following.

Theorem 4.4. $\Delta^{-1}$ is a canonical KAT homomorphism $\mathrm{Tr}_U \to \mathrm{Tr}_{\mathfrak{A}}$. Moreover, $\mathrm{Tr}_U$ is universal for the equational theory of Tarskian trace algebras over models of $T$ in the following sense. For all $p, q$, $[\![p]\!]_U = [\![q]\!]_U$ if and only if $[\![p]\!]_{\mathfrak{A}} = [\![q]\!]_{\mathfrak{A}}$ for all models $\mathfrak{A}$ of $T$.

Theorem 4.4 will follow from some fairly general considerations, which we will develop in Section 5. We thus defer the proof of Theorem 4.4 until the end of that section.

4.2. Spectra

Let $\mathfrak{A}$ be a model of $T$. Define the spectrum of $\mathfrak{A}$ to be the set of qf-types realized in $\mathfrak{A}$:

$$\operatorname{spec}\mathfrak{A} = \{\Delta(s) \mid s \in K_{\mathfrak{A}}\}.$$

Then $\operatorname{spec}\mathfrak{A} \subseteq U$, since every qf-type realized in $\mathfrak{A}$ is consistent with $T$. The set $\operatorname{spec}\mathfrak{A}$ is the image of $K_{\mathfrak{A}}$ in $U$ under $\Delta$ and gives an induced subframe

$$m_{\operatorname{spec}\mathfrak{A}}(x := e) \overset{\text{def}}{=} m_U(x := e) \cap (\operatorname{spec}\mathfrak{A})^2$$
$$m_{\operatorname{spec}\mathfrak{A}}(P(\bar e)) \overset{\text{def}}{=} m_U(P(\bar e)) \cap \operatorname{spec}\mathfrak{A}.$$

Theorem 4.5. The map $\Delta^{-1} : \mathrm{Tr}_{\operatorname{spec}\mathfrak{A}} \to \mathrm{Tr}_{\mathfrak{A}}$ is a canonical isomorphism.

Like Theorem 4.4, Theorem 4.5 holds under quite general conditions. These conditions can be stated and proved in a purely propositional framework, so we again defer the proof until after we have developed the requisite tools.


5. Constructions on Kripke frames

In this section, we develop the machinery that will be used in the proof of Theorems 4.4 and 4.5.
5.1. Induced subframes

Let $(L, m_L)$ be a Kripke frame and let $K$ be a subset of $L$. The induced subframe on $K$ is $(K, m_K)$, where

$$m_K(b) \overset{\text{def}}{=} m_L(b) \cap K, \quad b \in B, \qquad (3)$$
$$m_K(p) \overset{\text{def}}{=} m_L(p) \cap K^2, \quad p \in P. \qquad (4)$$

We say that a binary relation $R$ on $L$ preserves $K$ if $t \in K$ whenever $s \in K$ and $(s, t) \in R$.

Lemma 5.1. Let $(K, m_K)$ be an induced subframe of $(L, m_L)$ such that all atomic actions $m_L(p)$ preserve $K$.

(a) The map $A \mapsto A \cap \mathrm{Traces}_K$ for $A \subseteq \mathrm{Traces}_L$ is a canonical KAT homomorphism $\mathrm{Tr}_L \to \mathrm{Tr}_K$.

(b) The map $A \mapsto A \cap K^2$ for $A \subseteq L^2$ is a canonical KAT homomorphism $\mathrm{Rel}_L \to \mathrm{Rel}_K$.

Proof. (a) To show that $A \mapsto A \cap \mathrm{Traces}_K$ is a homomorphism with respect to the KAT operations, it suffices to show that $(\bigcup_i A_i) \cap \mathrm{Traces}_K = \bigcup_i (A_i \cap \mathrm{Traces}_K)$, $(A \cap \mathrm{Traces}_K)(B \cap \mathrm{Traces}_K) = AB \cap \mathrm{Traces}_K$, and for $A \subseteq L$, $(L - A) \cap \mathrm{Traces}_K = K - (A \cap \mathrm{Traces}_K)$. These arguments are all straightforward.

The map is canonical on $\mathrm{Tr}_L$ since it is a homomorphism and since it acts canonically on atomic symbols; that is, $[\![p]\!]_L \cap \mathrm{Traces}_K = [\![p]\!]_K$ and $[\![b]\!]_L \cap \mathrm{Traces}_K = [\![b]\!]_K$. These two equations are immediate from (3) and (4).

(b) The relations on $L$ that preserve $K$ form a sub-KAT of the full relation algebra on $L$. Moreover, if all atomic actions $m_L(p)$ preserve $K$, then this algebra contains $\mathrm{Rel}_L$ as a subalgebra. To show that $A \mapsto A \cap K^2$ is a homomorphism of this algebra with respect to the KAT operations, it suffices to show that $(\bigcup_i A_i) \cap K^2 = \bigcup_i (A_i \cap K^2)$, $(A \cap K^2)(B \cap K^2) = AB \cap K^2$, and for $A$ a subset of the identity relation on $L$, $(\{(u, u) \mid u \in L\} - A) \cap K^2 = \{(u, u) \mid u \in K\} - (A \cap K^2)$. These arguments are all straightforward except for the inclusion $AB \cap K^2 \subseteq (A \cap K^2)(B \cap K^2)$, which is the only case that uses the assumption regarding the preservation of $K$. We argue this case explicitly.

$$\begin{aligned} (s, t) \in AB \cap K^2 &\Rightarrow \exists u \in L\ \ (s, u) \in A,\ (u, t) \in B,\ s, t \in K \\ &\Rightarrow \exists u \in K\ \ (s, u) \in A,\ (u, t) \in B,\ s, t \in K \quad \text{since } A \text{ preserves } K \\ &\Rightarrow \exists u\ \ (s, u) \in A \cap K^2,\ (u, t) \in B \cap K^2 \\ &\Rightarrow (s, t) \in (A \cap K^2)(B \cap K^2). \end{aligned}$$

Again, $A \mapsto A \cap K^2$ is canonical on $\mathrm{Rel}_L$ since it is a homomorphism and by (3) and (4) acts canonically on atomic symbols; that is, $[\![p]\!]_L \cap K^2 = [\![p]\!]_K$ and $[\![b]\!]_L \cap K^2 = [\![b]\!]_K$. □
Lemma 5.2. Let $\mathcal{K}$ be a collection of induced subframes of a frame $L$ whose union covers $L$ such that each subframe in $\mathcal{K}$ is preserved under atomic actions $m_L(p)$. Then $\mathrm{Tr}_L$ is universal for the equational theory of $\{\mathrm{Tr}_K \mid K \in \mathcal{K}\}$ and $\mathrm{Rel}_L$ is universal for the equational theory of $\{\mathrm{Rel}_K \mid K \in \mathcal{K}\}$ in the sense that

(i) $[\![p]\!]_L = [\![q]\!]_L \iff$ for all $K \in \mathcal{K}$, $[\![p]\!]_K = [\![q]\!]_K$ (trace interpretations);

(ii) $[\![p]\!]_L = [\![q]\!]_L \iff$ for all $K \in \mathcal{K}$, $[\![p]\!]_K = [\![q]\!]_K$ (relational interpretations).

Proof. For (i), if $[\![p]\!]_L = [\![q]\!]_L$, then $[\![p]\!]_K = [\![q]\!]_K$ for all $K \in \mathcal{K}$, since there is a canonical homomorphism $\mathrm{Tr}_L \to \mathrm{Tr}_K$ by Lemma 5.1(a). Conversely, if $[\![p]\!]_L \ne [\![q]\!]_L$, say $\sigma \in [\![q]\!]_L - [\![p]\!]_L$, then since $\bigcup \mathcal{K}$ covers $L$, there exists $K \in \mathcal{K}$ such that $\mathrm{first}(\sigma) \in K$. Since the atomic actions $m_L(p)$ preserve $K$, $\sigma$ is a trace of $K$. Then $\sigma \in [\![q]\!]_L \cap \mathrm{Traces}_K = [\![q]\!]_K$ but $\sigma \notin [\![p]\!]_K \subseteq [\![p]\!]_L$.

The proof of (ii) is similar. □

Note that $\operatorname{spec}\mathfrak{A}$ is an induced subframe of $U$, and if $\operatorname{spec}\mathfrak{A} \subseteq \operatorname{spec}\mathfrak{B}$, then $\operatorname{spec}\mathfrak{A}$ is an induced subframe of $\operatorname{spec}\mathfrak{B}$.

5.2. Coherence

Let $K, L$ be Kripke frames over $P, B$. A function $f : K \to L$ is said to be coherent if

(i) $(s,t) \in m_K(p) \Rightarrow (f(s), f(t)) \in m_L(p)$, $p \in P$;

(ii) $s \in m_K(b) \iff f(s) \in m_L(b)$, $b \in B$.

Condition (i) implies that $f$ can be extended to traces $f : \mathrm{Traces}_K \to \mathrm{Traces}_L$:

$$f(s_0\, p_0\, s_1 \cdots s_{n-1}\, p_{n-1}\, s_n) \stackrel{\mathrm{def}}{=} f(s_0)\, p_0\, f(s_1) \cdots f(s_{n-1})\, p_{n-1}\, f(s_n).$$

This is essentially the property that we needed of $\Delta$ in the proof of Lemma 4.3. The function $f$ is said to be onto on traces if its extension $f : \mathrm{Traces}_K \to \mathrm{Traces}_L$ is onto. For a coherent function $f : K \to L$ and $A \subseteq \mathrm{Traces}_L$, define

$$f^{-1}(A) \stackrel{\mathrm{def}}{=} \{\sigma \in \mathrm{Traces}_K \mid f(\sigma) \in A\}.$$

Lemma 5.3. If $f : K \to L$ is coherent, then $f^{-1}$ is a KAT homomorphism on the full trace algebras of $K$ and $L$, and its restriction to the regular trace algebra $\mathrm{Tr}_L$ is a canonical homomorphism $\mathrm{Tr}_L \to \mathrm{Tr}_K$. If in addition $f$ is onto on traces, then $f^{-1}$ is one-to-one, therefore $f^{-1} : \mathrm{Tr}_L \to \mathrm{Tr}_K$ is a canonical isomorphism.

Proof. First, we check that $f^{-1}$ is a KAT homomorphism. It follows easily from elementary set-theoretic arguments that $f^{-1}$ commutes with the Boolean operations and maps $L$ to $K$ (the sets of length-zero traces, which are the multiplicative identities of the two algebras). For concatenation, since $f(\tau\rho) = f(\tau) f(\rho)$,

$$\begin{array}{ll}
& \sigma \in f^{-1}(AB) \iff f(\sigma) \in AB \\
& \iff \exists \tau\, \exists \rho\ \ \sigma = \tau\rho,\ f(\tau) \in A,\ f(\rho) \in B \\
& \iff \exists \tau\, \exists \rho\ \ \sigma = \tau\rho,\ \tau \in f^{-1}(A),\ \rho \in f^{-1}(B) \\
& \iff \sigma \in f^{-1}(A)\, f^{-1}(B).
\end{array}$$

The case of the operator ${}^*$ follows from these cases.

To show that $f^{-1}$ restricted to $\mathrm{Tr}_L$ is canonical, it suffices to show that it acts canonically on atomic symbols; that is,

$$f^{-1}([\![p]\!]_L) = [\![p]\!]_K, \quad p \in P,$$

$$f^{-1}([\![b]\!]_L) = [\![b]\!]_K, \quad b \in B.$$

This amounts to showing that for all $s,t \in K$,

$$\big((s,t) \in m_K(p) \text{ and } (f(s), f(t)) \in m_L(p)\big) \iff (s,t) \in m_K(p), \quad p \in P,$$

$$f(s) \in m_L(b) \iff s \in m_K(b), \quad b \in B,$$

which are exactly properties (i) and (ii) in the definition of coherence.

Finally, we show that $f^{-1}$ is one-to-one whenever $f$ is onto on traces. If $A, B \subseteq \mathrm{Traces}_L$ and $A \neq B$, say with $A - B \neq \emptyset$, then since $f$ is onto on traces, there exists a trace $\sigma$ of $K$ such that $f(\sigma) \in A - B$. Then $\sigma \in f^{-1}(A - B) = f^{-1}(A) - f^{-1}(B)$, therefore $f^{-1}(A) \neq f^{-1}(B)$. $\square$

5.3. Autobisimulation

By Lemma 5.3, in order to prove Theorem 4.5, it will suffice to argue that the map $\Delta : K_{\mathfrak{A}} \to \mathrm{spec}\,\mathfrak{A}$ is coherent and onto on traces. For the latter property, we establish a general sufficient condition based on the notion of bisimulation.

For a coherent $f$ to be onto on traces, the original $f : K \to L$ must be onto, since each single state of $L$ is a trace. Assuming that this is true, every trace of $L$ is of the form $f(s_0)\, p_0\, f(s_1) \cdots f(s_{n-1})\, p_{n-1}\, f(s_n)$. We need to be able to construct a trace $s'_0\, p_0\, s'_1 \cdots s'_{n-1}\, p_{n-1}\, s'_n$ of $K$ such that $f(s'_i) = f(s_i)$. This will be possible when the function $f$ is obtained from an autobisimulation.

An equivalence relation $\approx$ on $K$ is called an autobisimulation if it satisfies the following two properties:

(i) For $b \in B$, if $s \approx s'$ and $s \in m_K(b)$, then $s' \in m_K(b)$.

(ii) For $p \in P$, if $s \approx s'$ and $(s,t) \in m_K(p)$, then there exists $t'$ such that $(s',t') \in m_K(p)$ and $t \approx t'$.

(Diagram: the bisimulation square $s \approx s'$, $s \xrightarrow{p} t$, $s' \xrightarrow{p} t'$, $t \approx t'$.)

The $\approx$-equivalence class of $s$ is $[s] \stackrel{\mathrm{def}}{=} \{t \mid s \approx t\}$. Given an autobisimulation $\approx$ on $K$, one can define a quotient frame $(K/{\approx},\ m_{K/\approx})$ as follows:

$$\begin{array}{lll}
K/{\approx} & \stackrel{\mathrm{def}}{=} & \{[s] \mid s \in K\} \\
m_{K/\approx}(b) & \stackrel{\mathrm{def}}{=} & \{[s] \mid s \in m_K(b)\}, \quad b \in B \\
m_{K/\approx}(p) & \stackrel{\mathrm{def}}{=} & \{([s],[t]) \mid (s,t) \in m_K(p)\}, \quad p \in P.
\end{array}$$

Lemma 5.4. Let $\approx$ be an autobisimulation on $K$ with equivalence classes $[\ ]$. The map $[\ ] : K \to K/{\approx}$ is coherent and onto on traces, therefore $[\ ]^{-1} : \mathrm{Tr}_{K/\approx} \to \mathrm{Tr}_K$ is a canonical isomorphism.

Proof. By Lemma 5.3, it suffices to check that the map $[\ ]$ is coherent and onto on traces. It is easy to check that it is coherent and onto on single states. Now suppose we are given a trace

$$[s_0]\, p_0\, [s_1] \cdots [s_{n-1}]\, p_{n-1}\, [s_n]$$

of $K/{\approx}$. We wish to find $s'_0, \ldots, s'_n$ such that $s'_0\, p_0\, s'_1 \cdots s'_{n-1}\, p_{n-1}\, s'_n$ is a trace of $K$ and $s'_i \approx s_i$, $0 \le i \le n$. By the definition of $m_{K/\approx}(p_i)$, for each $i$, $0 \le i \le n-1$, there exist witnesses $t_i$ and $t'_i$ such that $(t_i, t'_i) \in m_K(p_i)$, $t_i \approx s_i$, and $t'_i \approx s_{i+1}$. We construct the $s'_i$ by induction on $i$. To start, take $s'_0 = s_0$. Now suppose we have constructed a prefix of the desired trace ending with $s'_i$ such that $s'_i \approx s_i$. Then $s'_i \approx t_i$. By property (ii) of autobisimulations, there exists $s'_{i+1}$ such that $(s'_i, s'_{i+1}) \in m_K(p_i)$ and $s'_{i+1} \approx t'_i \approx s_{i+1}$. We have extended the trace by one step and maintained the invariant $s'_i \approx s_i$. $\square$

At this point we are ready to prove our main theorems.

Proof of Theorem 4.5. Let $K_{\mathfrak{A}}$ be a Tarskian frame over a model $\mathfrak{A}$ of $T$. Checking the conditions of coherence for the map $\Delta : K_{\mathfrak{A}} \to U$, we observe that

(i) $(s,t) \in m_{\mathfrak{A}}(x := e) \Rightarrow (\Delta(s), \Delta(t)) \in m_U(x := e)$, since $\Delta(s[x/s(e)]) = \{\varphi \mid \varphi[x/e] \in \Delta(s)\}$ by Lemma 4.1; and

(ii) $s \in m_{\mathfrak{A}}(P(e)) \iff P(e) \in \Delta(s)$ by definition of $m_{\mathfrak{A}}(P(e))$.

By Lemma 5.3, $\Delta^{-1} : \mathrm{Tr}_U \to \mathrm{Tr}_{\mathfrak{A}}$ and $\Delta^{-1} : \mathrm{Tr}_{\mathrm{spec}\,\mathfrak{A}} \to \mathrm{Tr}_{\mathfrak{A}}$ are canonical homomorphisms. Moreover, by Lemma 4.1, the relation $s \approx t \stackrel{\mathrm{def}}{\iff} \Delta(s) = \Delta(t)$ is an autobisimulation, and the quotient frame $K_{\mathfrak{A}}/{\approx}$ is isomorphic to $\mathrm{spec}\,\mathfrak{A}$, therefore by Lemma 5.4, $\Delta^{-1} : \mathrm{Tr}_{\mathrm{spec}\,\mathfrak{A}} \to \mathrm{Tr}_{\mathfrak{A}}$ is a canonical isomorphism. $\square$

Proof of Theorem 4.4. For every model $\mathfrak{A}$ of $T$, $\mathrm{spec}\,\mathfrak{A}$ is an induced subframe of $U$, and the set $\{\mathrm{spec}\,\mathfrak{A} \mid \mathfrak{A} \models T\}$ covers $U$, since every qf-type of $T$ is realized in some model of $T$. It follows from Lemma 5.2 that $\mathrm{Tr}_U$ is universal for the equational theory of $\{\mathrm{Tr}_{\mathrm{spec}\,\mathfrak{A}} \mid \mathfrak{A} \models T\}$. But by Theorem 4.5, this is the same as the equational theory of $\{\mathrm{Tr}_{\mathfrak{A}} \mid \mathfrak{A} \models T\}$, since $\mathrm{Tr}_{\mathfrak{A}}$ and $\mathrm{Tr}_{\mathrm{spec}\,\mathfrak{A}}$ are canonically isomorphic. $\square$
The frame $U$, although universal for trace algebras of Tarskian frames over models of $T$, is not itself Tarskian. One might ask whether a universal Tarskian frame exists. The answer is yes, provided $T$ is a complete theory: take a qf-saturated model of $T$ (one realizing all qf-types consistent with $T$). If $T$ is not complete, then the answer is no in general. For example, if $T$ is generated by the single formula $\neg\exists x\, P(x) \vee \neg\exists x\, Q(x)$, then there is a qf-type of $T$ containing $P(x)$ and one containing $Q(x)$, since both are consistent with $T$, but there is no single model of $T$ containing both these qf-types in its spectrum. However, the answer is again yes if we amend the definition of Tarskian frame to allow disjoint unions of Tarskian frames as defined above. In this case we can take the disjoint union of qf-saturated models, one for each complete extension of $T$.


6. Relation algebras

Unlike the propositional case, relation and trace algebras of Tarskian frames do not share the same equational theory. Inclusion does hold in one direction: since $\mathrm{Ext} : \mathrm{Tr}_{\mathfrak{A}} \to \mathrm{Rel}_{\mathfrak{A}}$ is a canonical homomorphism, the equational theory of trace algebras is contained in the equational theory of relation algebras of Tarskian frames (and in fact for any class of frames), but not vice versa. Note that Lemma 3.1 does not apply, since the relation algebra on $\mathrm{Traces}_{\mathfrak{A}}$ is not necessarily Tarskian.

The axioms of SKAT proposed in [1] provide some counterexamples for the reverse inclusion:

$$\begin{array}{lcll}
x := d\ ;\ y := e & = & y := e[x/d]\ ;\ x := d & (y \notin FV(d)), \\
x := d\ ;\ y := e & = & x := d\ ;\ y := e[x/d] & (x \notin FV(d)), \\
x := d\ ;\ x := e & = & x := e[x/d], & \\
x := e\ ;\ \varphi & = & \varphi[x/e]\ ;\ x := e, & \\
x := x & = & 1, &
\end{array}$$

where $x$ and $y$ are distinct variables and $FV(d)$ denotes the set of variables occurring in $d$. Special cases are the commutativity conditions

$$\begin{array}{lcll}
x := d\ ;\ y := e & = & y := e\ ;\ x := d & (x \notin FV(e),\ y \notin FV(d)), \\
\varphi\ ;\ x := e & = & x := e\ ;\ \varphi & (x \notin FV(\varphi)).
\end{array}$$

What is worse, $\mathrm{Rel}_U$ is not universal for relation algebras of Tarskian frames, so the analog of Theorem 4.4 for relation algebras does not hold. To see this, consider a signature consisting of constants $c, d$ and a unary predicate $P$. Then

$$[P(c) \leftrightarrow P(d)\ ;\ x := c]_U = [P(c) \leftrightarrow P(d)\ ;\ x := d]_U, \qquad (5)$$

but these two programs are not equivalent in any Tarskian frame in which $c \neq d$. The model $U$ has essentially eight states, depending on the truth values of $P(c)$, $P(d)$, and $P(x)$. (In $U$, the only one of these atomic formulas whose truth value an assignment to $x$ can change is $P(x)$, and after either assignment it takes the common value of $P(c)$ and $P(d)$ that the test enforces.) Here is an illustration of relations (5):

(Figure not reproduced: the eight states of $U$ and the two relations of (5).)

D. Kozen / Science of Computer Programming 51 (2004) 3–22

However, note that the two programs of (5) are observationally equivalent, that is, indistinguishable by any formula in the language. This indicates that the relation of equality on $\mathrm{Rel}_{\mathfrak{A}}$ is too fine in that it distinguishes programs that are indistinguishable in terms of the preconditions and postconditions satisfied by their input and output states. When we weaken the comparison of input/output relations to observational equivalence, then $\mathrm{Rel}_U$ becomes universal.

As with the main results of Section 4, this result follows from more general considerations, so we defer the formal statement and proof until the end of Section 7.


7. More constructions on Kripke frames

Let $\approx$ be an autobisimulation on a Kripke frame $K$. For binary relations $R$ and $S$ on $K$, define $R \lesssim S$ if for all $s, s', t$, if $s \approx s'$ and $(s,t) \in R$, then there exists $t'$ such that $(s',t') \in S$ and $t \approx t'$.

(Diagram: $s \approx s'$, $(s,t) \in R$, $(s',t') \in S$, $t \approx t'$.)

We call the relations $R$ and $S$ bisimilar with respect to $\approx$ and write $R \sim S$ if both $R \lesssim S$ and $S \lesssim R$. Let $\mathcal{D}$ be the set of binary relations $R$ such that $R \sim R$.

Lemma 7.1. The set $\mathcal{D}$ forms a subalgebra of the full relation algebra on $K$ and contains $\mathrm{Rel}_K$ as a subalgebra.

Proof. It is straightforward to show that $\mathcal{D}$ is closed under all the KAT operations. The definition of autobisimulation says exactly that $\mathcal{D}$ contains the generators $[p]_K$, $p \in P$, and $[b]_K$, $b \in B$, of $\mathrm{Rel}_K$, therefore contains all $[p]_K \in \mathrm{Rel}_K$. $\square$

The significance of bisimilarity is that it is a KAT congruence on $\mathcal{D}$, and the quotient algebra $\mathrm{Rel}_K/{\sim}$ is isomorphic to $\mathrm{Rel}_{K/\approx}$.
Lemma 7.2. Let $[s] = \{t \mid s \approx t\}$. For $R \in \mathcal{D}$, define $[R] = \{([s],[t]) \mid (s,t) \in R\}$. The map $[\ ]$ is a KAT homomorphism on $\mathcal{D}$ and its kernel is the relation $\sim$. Restricted to $\mathrm{Rel}_K$, $[\ ]$ is a canonical homomorphism $\mathrm{Rel}_K \to \mathrm{Rel}_{K/\approx}$.

Proof. To show that $[\ ]$ is a KAT homomorphism on $\mathcal{D}$, it suffices to show that $[\bigcup_i A_i] = \bigcup_i [A_i]$, $[A][B] = [AB]$, and for $A \subseteq \{(u,u) \mid u \in K\}$, $[\{(u,u) \mid u \in K\} - A] = \{([u],[u]) \mid u \in K\} - [A]$. All these arguments are straightforward except for the inclusion $[A][B] \subseteq [AB]$. This is the only place that uses the assumption of membership in $\mathcal{D}$. We argue this case explicitly:

$$\begin{array}{ll}
& ([s],[t]) \in [A][B] \\
\Rightarrow & \exists u\ \ ([s],[u]) \in [A],\ ([u],[t]) \in [B] \\
\Rightarrow & \exists u, u', u'', s', t''\ \ (s',u') \in A,\ (u'',t'') \in B,\ u' \approx u \approx u'',\ s \approx s',\ t \approx t'' \\
\Rightarrow & \exists u', u'', s', t'', t'\ \ (s',u') \in A,\ (u',t') \in B,\ u' \approx u'',\ s \approx s',\ t \approx t'' \approx t' \qquad \text{since } B \in \mathcal{D} \\
\Rightarrow & \exists s', t'\ \ (s',t') \in AB,\ s \approx s',\ t \approx t' \\
\Rightarrow & ([s],[t]) \in [AB].
\end{array}$$

To show that $[\ ]$ is canonical on $\mathrm{Rel}_K$, it suffices to show that it acts canonically on atomic symbols; that is, $[[p]_K] = [p]_{K/\approx}$ and $[[b]_K] = [b]_{K/\approx}$. These properties are immediate from the definition of $m_{K/\approx}$.

Finally, to show that $\sim$ on $\mathcal{D}$ is the kernel of $[\ ]$, it suffices to argue that

$$R \lesssim S \iff \{([s],[t]) \mid (s,t) \in R\} \subseteq \{([s],[t]) \mid (s,t) \in S\}.$$

The left-hand side and right-hand side are equivalent to

(i) $\forall s\, \forall s'\, \forall t\ \ s \approx s' \wedge (s,t) \in R \Rightarrow \exists t'\ \ t \approx t' \wedge (s',t') \in S$,

(ii) $\forall s\, \forall t\ \ (s,t) \in R \Rightarrow \exists s'\, \exists t'\ \ s \approx s' \wedge t \approx t' \wedge (s',t') \in S$,

respectively. Now (i) implies (ii) by taking $s' = s$. For the converse, suppose $s \approx s'$ and $(s,t) \in R$. By (ii), there exist $s'', t''$ such that $s \approx s''$, $t \approx t''$, and $(s'',t'') \in S$. Since $S \in \mathcal{D}$, $S \sim S$, and $s' \approx s \approx s''$, therefore there exists $t'$ such that $(s',t') \in S$ and $t' \approx t'' \approx t$. $\square$


Combining (1) and Lemmas 5.4 and 7.2, we have the following commutative diagram that captures a fundamental relationship between trace and relation algebras:

$$\begin{array}{ccc}
\mathrm{Tr}_K & \xleftarrow{\ [\ ]^{-1}\ } & \mathrm{Tr}_{K/\approx} \\
\Big\downarrow {\scriptstyle \mathrm{Ext}} & & \Big\downarrow {\scriptstyle \mathrm{Ext}} \\
\mathrm{Rel}_K & \xrightarrow{\ \ [\ ]\ \ } & \mathrm{Rel}_{K/\approx}
\end{array} \qquad (6)$$

The arrow labeled $[\ ]^{-1}$ is an isomorphism by Lemmas 5.3 and 5.4. The diagram commutes because all the homomorphisms in question are canonical.
We say that terms $p$ and $q$ are observationally equivalent over $\mathfrak{A}$ if $[p]_{\mathfrak{A}}$ and $[q]_{\mathfrak{A}}$ are bisimilar with respect to the autobisimulation $s \approx t \stackrel{\mathrm{def}}{\iff} \Delta(s) = \Delta(t)$ on the Tarskian frame $K_{\mathfrak{A}}$. In other words, if $\Delta(s) = \Delta(s')$ and $(s,t) \in [p]_{\mathfrak{A}}$, then there exists $t'$ such that $(s',t') \in [q]_{\mathfrak{A}}$ and $\Delta(t) = \Delta(t')$, and vice versa.

The following is our main result on relation algebras.

Theorem 7.3. The algebra $\mathrm{Rel}_U$ is universal for the equational theory of relation algebras of Tarskian frames over models of $T$ modulo observational equivalence. In other words, $[p]_U = [q]_U$ iff $p$ and $q$ are observationally equivalent over all models of $T$.

Proof. In the special case of the autobisimulation $s \approx t \stackrel{\mathrm{def}}{\iff} \Delta(s) = \Delta(t)$, diagram (6) takes the form

$$\begin{array}{ccc}
\mathrm{Tr}_{\mathfrak{A}} & \xleftarrow{\ \Delta^{-1}\ } & \mathrm{Tr}_{\mathrm{spec}\,\mathfrak{A}} \\
\Big\downarrow {\scriptstyle \mathrm{Ext}} & & \Big\downarrow {\scriptstyle \mathrm{Ext}} \\
\mathrm{Rel}_{\mathfrak{A}} & \xrightarrow{\ \ \Delta\ \ } & \mathrm{Rel}_{\mathrm{spec}\,\mathfrak{A}}
\end{array}$$

By Lemma 7.2, $p$ and $q$ are observationally equivalent over $\mathfrak{A}$ iff $[p]_{\mathfrak{A}}$ and $[q]_{\mathfrak{A}}$ have the same image under $\Delta$, which occurs iff $[p]_{\mathrm{spec}\,\mathfrak{A}} = [q]_{\mathrm{spec}\,\mathfrak{A}}$. But by Lemma 5.2, $\mathrm{Rel}_U$ is universal for the equational theory of $\mathrm{Rel}_{\mathrm{spec}\,\mathfrak{A}}$ for $\mathfrak{A} \models T$. Thus $[p]_U = [q]_U$ iff $[p]_{\mathrm{spec}\,\mathfrak{A}} = [q]_{\mathrm{spec}\,\mathfrak{A}}$ over all $\mathfrak{A} \models T$ iff $p$ and $q$ are observationally equivalent over all models of $T$. $\square$

Can one capture the equational theory of relation algebras of Tarskian frames in a Tarskian frame? As with trace algebras, the answer is yes, provided we allow disjoint unions of Tarskian frames: take the disjoint union of sufficiently many Tarskian frames, where "sufficiently many" means that if there exists $\mathfrak{A}$ such that $[p]_{\mathfrak{A}} \neq [q]_{\mathfrak{A}}$, then there is at least one such frame in the class taken.